CVE-2024-38074
📋 TL;DR
CVE-2024-38074 is a critical (CVSS 9.8) remote code execution vulnerability in the Windows Remote Desktop Licensing service (service name TermServLicensing). An unauthenticated attacker who can reach the service over the network can execute arbitrary code on the host. Only Windows Server machines on which the Remote Desktop Licensing role service has been installed run this code, but a license server is normally reachable from every RD Session Host in the estate, so organizations using Remote Desktop Services should treat their license servers as high-value, exposed targets.
💻 Affected Systems
- Windows Server releases that ship the Remote Desktop Licensing role service; the vulnerable code is only present once that role service is installed. See the vendor advisory for the exact list of affected releases.
📦 What is this software?
The Remote Desktop Licensing service (role service RDS-Licensing, Windows service TermServLicensing) is the component of Remote Desktop Services that stores and issues RDS client access licenses (CALs) to RD Session Host servers. It is typically deployed on one or two dedicated license servers per RDS deployment rather than on every server, which is why the first step in triage is to find out which hosts actually have the role service installed.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover leading to domain compromise, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Initial foothold on vulnerable servers leading to credential theft, persistence establishment, and further network exploitation.
If Mitigated
Limited impact due to network segmentation, strict firewall rules, and disabled vulnerable services.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' and the vulnerability is wormable. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 cumulative security updates (for example KB5040437 for Windows Server 2022; the vendor advisory lists the KB for each affected release)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38074
Restart Required: Yes
Instructions:
1. Apply the July 2024 cumulative update for the server's Windows release via Windows Update, WSUS or the Microsoft Update Catalog.
2. Restart the server; the fix is not in effect until the reboot completes.
3. Confirm the installed OS build (winver, or the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) is at or above the build the advisory lists for that KB. The service binary itself has no separate "patched version" to inspect; the OS build is the authoritative indicator.
🔧 Temporary Workarounds
Disable Remote Desktop Licensing Service
Stop and disable the service on hosts where the role service is installed but not actually serving CALs. RD Session Hosts that depend on this license server cannot obtain new CALs while it is stopped, so check which deployments point at it first. Call sc.exe explicitly: inside PowerShell, sc is an alias for Set-Content.
sc.exe stop TermServLicensing
sc.exe config TermServLicensing start= disabled
Block RD Licensing Network Access
The service is reached over MS-RPC: the endpoint mapper on TCP 135 followed by a dynamically assigned port (49152-65535 by default), or the named-pipe transport over SMB (TCP 445). A host-level block of 135, 445 and 3389 from remoteip=any, as is sometimes suggested, also cuts off SMB, remote management and RDP to the server itself. Scope the block to networks that have no business reaching the license server (the 203.0.113.0/24 range below is a placeholder) and leave the RD Session Host subnets out of it:
netsh advfirewall firewall add rule name="Block RD Licensing from untrusted networks" dir=in action=block protocol=TCP localport=135,445,49152-65535 remoteip=203.0.113.0/24
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Remote Desktop Licensing servers
- Deploy application control policies to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check whether the Remote Desktop Licensing role service is installed and whether its service is running (the second command returns nothing, rather than a terminating error, when the service does not exist):
Get-WindowsFeature RDS-Licensing
Get-Service TermServLicensing -ErrorAction SilentlyContinue
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm the July 2024 cumulative update for this release is installed, using the KB the vendor advisory lists for it (KB5040437 on Windows Server 2022). A host that received a later cumulative update will not list the July KB, because later updates supersede it, so a missing entry is not proof of exposure; compare the OS build number against the advisory in that case:
Get-HotFix -Id KB5040437
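The three checks above combined into one assessment, as an added example that is not part of the advisory or of any Microsoft tooling. It reads the role state, the service state and the OS build from the registry, then compares the update build revision (UBR) against a small table of minimum patched builds. That table is the assumption in this script: the two entries are the builds the author believes correspond to the July 2024 updates for Server 2022 (KB5040437) and Server 2019 (KB5040430) and must be confirmed against the vendor advisory before the result is relied on.

```powershell
# Added example (not from the advisory): assess one host's exposure to CVE-2024-38074.
# Run in an elevated PowerShell on the server being checked.

function Get-RdlExposure {
    [CmdletBinding()]
    param()

    # Role service presence: the vulnerable code only exists once RDS-Licensing is installed.
    # Get-WindowsFeature comes from the ServerManager module (present on Windows Server).
    $role = Get-WindowsFeature -Name RDS-Licensing -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($role -and $role.Installed)

    # Service state; SilentlyContinue avoids a terminating error when the service is absent.
    $svc = Get-Service -Name TermServLicensing -ErrorAction SilentlyContinue

    # CurrentBuild (major build) plus UBR (update build revision) identify the installed
    # cumulative update more reliably than Get-HotFix, which misses superseded KBs.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # ASSUMPTION: minimum UBR carrying the July 2024 update, keyed by major build.
    # Confirm each value against the MSRC advisory before trusting the verdict.
    $patched = @{
        20348 = 2582   # Windows Server 2022, KB5040437
        17763 = 6054   # Windows Server 2019, KB5040430
    }

    $minUbr = $patched[$build]
    $patchState = if ($null -eq $minUbr)  { 'Unknown (build not in table)' }
                  elseif ($ubr -ge $minUbr) { 'Patched' }
                  else                      { 'Unpatched' }

    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RoleInstalled = $roleInstalled
        ServiceStatus = if ($svc) { $svc.Status.ToString() }    else { 'NotPresent' }
        StartType     = if ($svc) { $svc.StartType.ToString() } else { 'NotPresent' }
        OsBuild       = "$build.$ubr"
        PatchState    = $patchState
        # Exposed only if the code is present, listening, and not confirmed patched.
        Exposed       = $roleInstalled -and $running -and ($patchState -ne 'Patched')
    }
}

Get-RdlExposure | Format-List
```

Run it across the fleet with Invoke-Command against the servers that report RDS-Licensing installed; a host reporting Exposed = True with PatchState 'Unknown' needs its build looked up manually rather than being assumed safe.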
📡 Detection & Monitoring
Log Indicators:
- Service Control Manager events 7036 (service entered running/stopped state) and 7040 (start type changed) for Remote Desktop Licensing outside change windows; 7031/7034 (service terminated unexpectedly) can indicate a failed exploitation attempt
- Child processes (Sysmon Event ID 1 or Security 4688) whose parent is the process hosting TermServLicensing; a license server has no reason to spawn shells, script hosts or other living-off-the-land binaries from that process
- Failed-logon events (4625) are not a useful signal for this vulnerability: the attack is unauthenticated and never goes through a logon
Network Indicators:
- Inbound connections to the license server's RPC endpoint mapper (TCP 135), its dynamic RPC ports or SMB (TCP 445) from hosts that are not RD Session Hosts
- RD Licensing traffic originating outside the subnets where RDS is deployed
SIEM Query:
Field names are illustrative; map them to your schema. Note the parentheses: without them the source filter would apply only to the first clause.
source="windows" AND ((event_id=1 AND parent_image ENDS WITH "svchost.exe" AND parent_command_line CONTAINS "TermServLicensing") OR (event_id IN (7031,7034,7036,7040) AND message CONTAINS "Remote Desktop Licensing"))
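The two log indicators above as a host-side hunt, written here as an added example rather than code from the advisory or from any vendor. It assumes Sysmon is installed with process-creation (Event ID 1) logging enabled; the service-state check uses the standard System log and needs nothing extra. The parent-PID match only covers the current service instance, so if the service has restarted since the activity of interest, widen the search to the ParentCommandLine field instead.

```powershell
# Added example (not from the advisory): hunt for post-exploitation activity around the
# Remote Desktop Licensing service on one host. Run elevated; assumes Sysmon Event ID 1.

# PID of the process currently hosting TermServLicensing (0 when the service is stopped).
function Get-RdlServicePid {
    $s = Get-CimInstance Win32_Service -Filter "Name='TermServLicensing'"
    if ($s -and $s.ProcessId -gt 0) { [int]$s.ProcessId } else { $null }
}

# Processes spawned by the licensing service host within the look-back window.
# A license server should never launch cmd.exe, powershell.exe, rundll32.exe etc. from it.
function Find-RdlChildProcesses {
    param([int]$ParentPid, [int]$Hours = 24)
    if (-not $ParentPid) { Write-Warning 'TermServLicensing is not running; no PID to match'; return }

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them to a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ([int]$d.ParentProcessId -eq $ParentPid) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $d.Image
                CommandLine = $d.CommandLine
                User        = $d.User
                ParentImage = $d.ParentImage
            }
        }
    }
}

# Service state changes (7036), start-type changes (7040) and crashes (7031/7034)
# recorded by the Service Control Manager for Remote Desktop Licensing.
function Find-RdlServiceChanges {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034, 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Licensing|TermServLicensing' } |
        Select-Object TimeCreated, Id, Message
}

$rdlPid = Get-RdlServicePid
Write-Host "TermServLicensing host PID: $rdlPid"
Find-RdlChildProcesses -ParentPid $rdlPid | Format-Table -AutoSize
Find-RdlServiceChanges | Format-Table -AutoSize
```

Any row returned by Find-RdlChildProcesses deserves a ticket: the licensing service has no legitimate reason to create processes. Repeated 7031/7034 entries without a matching patch-install window are the more subtle signal, since a memory-corruption exploit that misfires usually takes the service down before it succeeds.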